System and method for delegated administration

ABSTRACT

A system and method for delegating administration tasks comprising determining at least one capability for a first user based on evaluation of at least one role rule and delegating the at least one capability to a second user.

CLAIM OF PRIORITY

[0001] This application claims priority from ENHANCED PORTALS [FLAGSTAFF RELEASE], U.S. Provisional Application No. 60/386,487, Inventors: Phil Griffin, et al., filed on Oct. 24, 2001, and which is incorporated herein by reference.

CROSS REFERENCES

[0002] This application is related to the following co-pending application which is hereby incorporated by reference in its entirety: SYSTEM AND METHOD FOR RULE-BASED ENTITLEMENTS, U.S. Application Serial No. ______, Inventors: Phil Griffin, et al., filed on ______.

COPYRIGHT NOTICE

[0003] A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

FIELD OF THE DISCLOSURE

[0004] The present invention disclosure relates to the field of authorization in computer networks and, in particular, delegation of administrative privileges in an enterprise application.

BACKGROUND

[0005] Administration of an enterprise application is typically carried out by a system administrator who can perform tasks that are otherwise off-limits to non-privileged users. Such tasks can include administering user accounts, altering the layout and content of pages on a website, installing applications, running diagnostics, adding or removing components to a network, or reconfiguring a network. However, as enterprise applications grow large and complex, so do the number of administrative tasks. One way to reduce the number of tasks that a system administrator is responsible for is to distribute the tasks among a number of administrators. This approach can be problematic, however, since administrators may unwittingly perform conflicting operations. Another problem with this approach is that it increases the likelihood that the security of the enterprise application will be breached since system level privileges are entrusted to more than one individual. What is needed is a means to conveniently delegate system administration privileges while at the same time limiting the scope of such privileges.

BRIEF DESCRIPTION OF THE DRAWINGS

[0006] FIG. 1 illustrates delegation of capabilities in accordance to one embodiment of the invention.

[0007] FIG. 2 illustrates an administrative hierarchy in accordance to one embodiment of the invention.

[0008] FIG. 3 illustrates delegation of administrative tasks in accordance to one embodiment of the invention.

[0009] FIG. 4 illustrates a system in accordance to one embodiment of the invention.

DETAILED DESCRIPTION

[0010] The invention is illustrated by way of example and not by way of limitation in the figures of the accompanying drawings in which like references indicate similar elements. It should be noted that references to “an” or “one” embodiment in this disclosure are not necessarily to the same embodiment, and such references mean at least one.

[0011] In one embodiment, delegated system administration involves the conveying of a capability (e.g., the ability to perform a system administration task) from one user to another, from a process to a user, from a user to a process, or from a process to a process. A process can include, for example, a thread, a distributed object, a lightweight process, or a program of any kind that is able to execute on one or more computers. In another embodiment, a process and a user are synonymous. By way of a non-limiting illustration, the conveyed capability can include any task, operation or privilege that is able to be performed on any resource available on a computer network. For example, if a resource is a computer database, capabilities can comprise creating, reading, updating or deleting data contained therein. If the resource is an administrative task, for example, capabilities can include creating a new user account, associating an existing user account with a user group, or delegating the ability to perform a system administration task to a user.

[0012] FIG. 1 illustrates delegation of capabilities in accordance to one embodiment of the invention. User 1 has capabilities A, B and C. User 1 has delegated these capabilities to user 2. In doing so, user 1 also conveyed to user 2 the ability to further delegate these capabilities to others. User 1 conveyed capabilities B and C to user 3, but with the condition that user 3 cannot further delegate C. This is indicated in FIG. 1 by an underscore beneath the letter “C”. User 2 has delegated A, B and C to user 4, and capabilities A and B to user 5 with the condition that user 5 cannot further delegate capability B. User 3 has delegated capability B to user 6. User 3 cannot delegate capability C. Thus, different levels of users can be created with varying degrees of system access. In one embodiment, each level of delegation can have the same capabilities. In another embodiment, each subsequent level of delegation can have the same or fewer capabilities.

[0013] A portal is a feature-rich web site. It provides a point of access to enterprise data and applications, presenting a unified and potentially personalized view of that information to employees, customers and business partners. Portals allow multiple web applications within a single web interface. In addition to regular web content that appears in a portal (e.g., text or graphics), portals provide the ability to display portlets—self-contained applications or content—all in a single web interface (e.g., a web browser). Portals also support multiple pages through navigation mechanisms (e.g., tab-based navigation) with each page containing its own content and portlets. One such system is the WebLogic® Portal, available from BEA Systems, Inc. of San Jose, Calif.

[0014] In one embodiment, a portal user can be an administrator. As such, the user can create new portals, modify the privileges of visitors and other administrators, and modify many of the attributes displayed in the portal. In another embodiment, a portal user can belong to one or more groups. Groups provide a means for organizing users with common characteristics into a single category. For example, it might be desirable to differentiate the web services offered to bank customers with large assets versus small assets in order to serve these groups better. An association between a portal and a user group is a Group portal. Group portals allow for the definition of different views of a portal for different user groups, making it seem as if users in each group are looking at completely different web sites. Multiple group portals can be created within a single portal. In one embodiment, group portals can be managed by delegated administration.

[0015] In addition to groups, in one embodiment of the invention, users can also be organized into a hierarchy. In one embodiment, a hierarchy can include one or more users designated as system administrators (SA's), zero or more users designated as portal administrators (PA's), and zero or more users designated as group administrators (GA's). Those skilled in the art will recognize that many such hierarchies are possible. In one embodiment, an SA is able to perform all system administration tasks, whereas a PA can perform administration tasks only for a single portal, and a GA can perform administrative tasks only for a single group portal. In another embodiment, users are not organized into a hierarchy.

[0016] In one embodiment, initially there is a single user designated as an SA. The remaining users optionally belong to an “admin eligible” group. Membership in a group can be dynamically determined by evaluating rules. Users belonging to the admin eligible group can be promoted to SA, PA or GA. In another embodiment, group membership is not a prerequisite to promotion. In one embodiment, an SA can promote users in the admin eligible group to SA, PA or GA. Once promoted to SA, a user can likewise promote others to SA, PA or GA. In another embodiment, a PA can promote other users to PA or GA, and a GA can promote other users to GA. It will be apparent to those skilled in the art that user promotion can be accomplished in a number of ways, including automatically via evaluation of rules or manually via administrative tools.

[0017] FIG. 2 illustrates an administrative hierarchy in accordance to one embodiment of the invention. SA 10 has promoted users 11 and 12 to PA and user 13 to GA. User 12 has in turn promoted user 14 to GA and user 15 to PA. User 14 in turn has promoted users 16 and 17 to GA. In one embodiment, a user cannot promote another to a role higher than itself. For example, user 14 could not promote user 16 to PA or SA. In another embodiment, users 11-17 belonged to the admin eligible group before promotion.

[0018] In one embodiment, there are four administrative tasks that an administrator (e.g., SA, PA or GA) can potentially control: user management, portal page management, portlet management and visual appearance. In one embodiment, if an administrator has the capability of managing users, the administrator can create users and optionally store information about them. In addition, an administrator can also create groups and add users to them.

[0019] In one embodiment, if an administrator has the capability of managing portal pages, the administrator can control behavioral aspects that a visitor experiences when accessing a portal, such as whether a portlet is viewed as a maximized presentation or a minimized presentation within the page of origin. If an administrator has the capability to alter the visual appearance, the administrator can modify a portal's look and feel, define and arrange the pages and portlets displayed in a portal, define the different views of the portal that different visitors see, and control access to pages and portlets within a group portal. By way of a non-limiting illustration, general portal visual characteristics can include header and footer graphics, content, icon graphics, color schemes, cascading style sheets and hypertext markup language (HTML) layouts. In another embodiment, an administrator can determine the appearance of a portal by selecting from the available skins. A skin is a collection of HTML code and graphics that affect the appearance of a portal, for example, the colors and fonts used.

[0020] In one embodiment, if an administrator has the capability of managing portlets, the administrator can define and modify the resources that are available for a portlet. The administrator can also set portlet defaults, such as whether the portlet will be available to users, whether the portlet can be minimized, whether the portlet can be maximized, etc.

[0021] Table 1 summarizes administrative tasks and their associated capabilities in one embodiment (parenthetical capability codes are provided for use in FIG. 3):

TABLE 1 Administrative Task Capabilities

Task                           Capabilities
User Management                Manage (A₁), Delegate (A₂)
Page Management                Manage (B₁), Delegate (B₂), Set Entitlements (B₃)
Portlet Management             Manage (C₁), Delegate (C₂), Set Entitlements (C₃)
Visual Appearance Management   Manage (D₁), Delegate (D₂)

[0022] In one embodiment, if an administrator possesses the “manage” capability, the administrator is permitted to manage the given task. If an administrator possesses the “delegate” capability, the administrator can delegate the capability to another. Finally, if an administrator has the capability “set entitlements”, the administrator can define roles for dynamically associating users with resources. In one embodiment, roles allow for the definition of different views of a portal for different users. By creating groupings of characteristics, such as gender, browser type, or date, any web site visitors who match those characteristics dynamically become members of the role. Such dynamic roles are used to target visitors with campaigns and personalized content, and to control the pages and portlets web site visitors can view.

[0023] FIG. 3 illustrates delegation of administrative tasks (see Table 1) in accordance to one embodiment of the invention. SA 10 possesses all administrative capabilities and can delegate all of them. SA 10 has delegated a subset of these capabilities to PA 11 and GA 13. PA 11 was granted all user, page and portlet management capabilities, but was not granted any capabilities related to visual appearance management. GA 13 was granted page and portlet management capabilities, but does not have the capability to delegate these (i.e., B₂ and C₂). GA 13 was not granted any capabilities related to user or visual appearance management. PA 12 was granted the full set of capabilities from SA 10 and in turn granted a subset of these to GA 14 and PA 15. GA 14 was only granted delegation capability for managing visual appearance, and thus was able to delegate this capability to GA 16 and GA 17. GA 16 and GA 17 cannot delegate D₁ since they lack D₂. PA 15 was delegated all capabilities except the ability to delegate user management (A₂). Therefore, PA 15 can delegate B₁₋₃, C₁₋₃ and D₁₋₃, but not A₁.
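The following is an added example, not code from the patent or from BEA's WebLogic Portal, showing how the two rules stated above can be enforced in code: a delegator may only convey capabilities it holds itself (each level has the same or fewer capabilities, FIG. 1), and conveying a capability without the task's "delegate" code from Table 1 makes it non-re-delegable (the underscored "C" in FIG. 1, GA 16/GA 17 in FIG. 3). It also checks the FIG. 2 promotion rule that a user cannot promote another above its own role. The class and function names, the rank numbers, and the assumption that GA 14 received both D₁ and D₂ are this example's own choices.

```python
"""Delegation of Table 1 capabilities with an explicit 'may further delegate' check.

Added example; not the patent's or WebLogic Portal's code. Replays the FIG. 2
promotions and the FIG. 3 delegations and makes the refusals visible.
"""
from dataclasses import dataclass, field

# FIG. 2 hierarchy: a user may not promote another to a role above its own.
ROLE_RANK = {"GA": 1, "PA": 2, "SA": 3}

# Table 1 tasks -> (manage, delegate[, set entitlements]) capability codes.
TASK_CAPS = {
    "A": ("A1", "A2"),          # user management
    "B": ("B1", "B2", "B3"),    # page management
    "C": ("C1", "C2", "C3"),    # portlet management
    "D": ("D1", "D2"),          # visual appearance management
}
ALL_CAPS = frozenset(c for caps in TASK_CAPS.values() for c in caps)


@dataclass
class Admin:
    name: str
    role: str                                   # "SA", "PA" or "GA"
    caps: set = field(default_factory=set)      # capability codes currently held


def delegate_right(cap: str) -> str:
    """Table 1 'delegate' code governing capabilities of cap's task (B1/B2/B3 -> B2)."""
    return TASK_CAPS[cap[0]][1]


def can_delegate(holder: Admin, cap: str) -> bool:
    """Holder must possess the capability itself and the task's delegate code."""
    return cap in holder.caps and delegate_right(cap) in holder.caps


def delegate(src: Admin, dst: Admin, caps) -> set:
    """Convey `caps` from src to dst. Returns the subset that was refused because src
    lacks the capability or lacks the delegate right for its task. A capability
    conveyed without its task's delegate code cannot be re-delegated by dst."""
    refused = {c for c in caps if not can_delegate(src, c)}
    dst.caps |= set(caps) - refused
    return refused


def promote(promoter: Admin, target: Admin, role: str) -> bool:
    """FIG. 2 rule: refuse promotion to a role ranked higher than the promoter's own."""
    if ROLE_RANK[role] > ROLE_RANK[promoter.role]:
        return False
    target.role = role
    return True


def fig3() -> dict:
    """Replay the FIG. 3 delegations; returns the admins keyed by name."""
    sa10 = Admin("SA 10", "SA", set(ALL_CAPS))
    pa11, pa12, ga13 = Admin("PA 11", "PA"), Admin("PA 12", "PA"), Admin("GA 13", "GA")
    ga14, pa15 = Admin("GA 14", "GA"), Admin("PA 15", "PA")
    ga16, ga17 = Admin("GA 16", "GA"), Admin("GA 17", "GA")
    delegate(sa10, pa11, {"A1", "A2", "B1", "B2", "B3", "C1", "C2", "C3"})
    delegate(sa10, ga13, {"B1", "B3", "C1", "C3"})   # no B2/C2: GA 13 cannot re-delegate
    delegate(sa10, pa12, ALL_CAPS)
    delegate(pa12, ga14, {"D1", "D2"})               # assumption: GA 14 holds D1 and D2
    delegate(pa12, pa15, ALL_CAPS - {"A2"})          # everything but "delegate user mgmt"
    delegate(ga14, ga16, {"D1"})                     # D1 only: GA 16/17 lack D2
    delegate(ga14, ga17, {"D1"})
    return {a.name: a for a in (sa10, pa11, pa12, ga13, ga14, pa15, ga16, ga17)}


if __name__ == "__main__":
    admins = fig3()
    for a in admins.values():
        print(a.name, sorted(a.caps), "can re-delegate:",
              sorted(c for c in a.caps if can_delegate(a, c)))
```

Running the script lists, for each FIG. 3 administrator, what it holds and what it may pass on; the return value of delegate() is the audit point a defender wants, since a refused code means a delegation request exceeded the delegator's own authority.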

[0024] In one embodiment, delegated administration can be implemented using entitlements. An entitlement is a mechanism for dynamically associating capabilities with a user. In one embodiment, an entitlement includes a resource, a capability, a permission, and a role rule. For example, if evaluation of a role rule places a user in the role of SA, PA or GA, that user then possesses the capability associated with the resource, assuming that the permission allows it. A permission in one embodiment can be grant, deny or abstain. A resource can include any resource available on a computer network and, in another embodiment, a resource can include logical resources.

[0025] In one embodiment, resource names can be arranged in a taxonomy. A taxonomy provides a means of categorizing and uniquely identifying a resource and is hierarchical in nature. For example, a resource name could be “myPortal.bankerGroup.pageMgmt.smith”. In this example, “myPortal” is the top level taxonomy name and serves to indicate that the resource is a portal named “myPortal”. The next part of the resource name, “bankerGroup”, identifies a user group associated with the portal “myPortal” consisting of bankers. The third part of the resource name indicates an administrative task (i.e., page management) for the group portal “bankerGroup”. Finally, the last part of the resource name identifies a particular user, “smith”. Thus, the resource name in this example identifies a user “smith” that has been delegated at least one capability associated with page administration, wherein the page administration is for the group portal “bankerGroup” within portal “myPortal”.

[0026] In one embodiment, a role rule is defined in terms of one or more logical expressions. A role rule of “everyone” is provided as a default and evaluates to “true” for any user. In another embodiment, a role rule can be based on evaluation of predicates. A predicate is a rule that evaluates to true or false. By way of a non-limiting example, predicates may include other predicates, logical operators (e.g., AND, NOT and OR), mathematical operations, method calls, calls to external systems, function calls, etc. In another embodiment, rules can be specified in plain English. For example:

[0027] When all of these conditions apply, the user is a groupAdmin:

[0028] Administrative Skill Level at least 5

[0029] Trustworthiness is ‘High’

[0030] Time of day is between 12:00 am and 6:00 am.

[0031] In the example above, the role that is being determined is “groupAdmin”. The predicate “Administrative Skill Level is at least 5” evaluates to true when a user's predefined administration level is set to five or higher. The “Trustworthiness is High” predicate evaluates to true if, for example, a predefined trustworthiness level is set to high. The “Time of day” predicate evaluates to “true” if the time of day is between 12:00 am and 6:00 am. It will be apparent to those skilled in the art that any type of predicate can be included in a role rule. To summarize, this role rule allows a user to become a group administrator if their skill level is at least five, they are trustworthy and it is the middle of the night.

TABLE 2 Administrative Task Entitlements

Resource Name                      Capability          Role         Perm
myPortal.bankerGroup.userMgmt      manage (A₁)         groupAdmin   deny
myPortal.bankerGroup.userMgmt      delegate (A₂)       groupAdmin   deny
myPortal.bankerGroup.pageMgmt      manage (B₁)         groupAdmin   grant
myPortal.bankerGroup.pageMgmt      delegate (B₂)       groupAdmin   deny
myPortal.bankerGroup.pageMgmt      entitlements (B₃)   groupAdmin   grant
myPortal.bankerGroup.portletMgmt   manage (C₁)         groupAdmin   grant
myPortal.bankerGroup.portletMgmt   delegate (C₂)       groupAdmin   deny
myPortal.bankerGroup.portletMgmt   entitlements (C₃)   groupAdmin   grant
myPortal.bankerGroup.visualMgmt    manage (D₁)         groupAdmin   deny
myPortal.bankerGroup.visualMgmt    delegate (D₂)       groupAdmin   deny

[0032] In one embodiment, by way of example, exemplary entitlements for GA 13 in FIG. 3 are listed in Table 2. The resource name indicates the portal, group portal, and administrative task for that group portal. The capability is a particular capability associated with the administrative task, as in Table 1. The role rule being evaluated is groupAdmin, as above. Finally, the last column in the table is the permission associated with the capability. Notice that GA 13 was not granted any capabilities related to user or visual appearance management, or delegation of portal and portlet management. These entitlements have a permission of “deny”. Thus, a user who dynamically satisfies the role rule groupAdmin will be entitled to the granted capabilities associated with this role.

[0033] In another embodiment, by way of illustration, a user is associated with an administrative role by incorporating the user's name in the resource name. Exemplary entitlements for GA 13 in FIG. 3 in this embodiment are listed in Table 3.

TABLE 3 Administrative Task Entitlements

Resource Name                            Capability          Role       Perm
MyPortal.bankerGroup.userMgmt.smith      manage (A₁)         everyone   deny
MyPortal.bankerGroup.userMgmt.smith      delegate (A₂)       everyone   deny
MyPortal.bankerGroup.pageMgmt.smith      manage (B₁)         everyone   grant
MyPortal.bankerGroup.pageMgmt.smith      delegate (B₂)       everyone   deny
MyPortal.bankerGroup.pageMgmt.smith      entitlements (B₃)   everyone   grant
MyPortal.bankerGroup.portletMgmt.smith   manage (C₁)         everyone   grant
MyPortal.bankerGroup.portletMgmt.smith   delegate (C₂)       everyone   deny
MyPortal.bankerGroup.portletMgmt.smith   entitlements (C₃)   everyone   grant
MyPortal.bankerGroup.visualMgmt.smith    manage (D₁)         everyone   deny
MyPortal.bankerGroup.visualMgmt.smith    delegate (D₂)       everyone   deny

[0034] Since the role rule is “everyone”, every user will satisfy the role. Therefore, discrimination among users is based on the resource which includes a user name. When evaluating entitlements in Table 3, the resource name is incorporated with the name of the user under consideration. In this example, if the user is “smith”, the user will be entitled to the same capabilities as the groupAdmin in Table 2.
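The following added example (not the patent's or WebLogic Portal's code) ties paragraphs [0024] through [0034] together: it evaluates the plain-English groupAdmin role rule of [0027]-[0030] as three predicates, parses taxonomy resource names of the form described in [0025], and decides the Table 2 (groupAdmin role rule) and Table 3 ("everyone" role rule, user name in the resource) entitlement sets for a given user. The user attribute names (`name`, `skill_level`, `trust`), passing the hour of day as a parameter, and the deny-overrides combination of grant/deny/abstain permissions are this example's assumptions; the patent only states that a permission can be grant, deny or abstain.

```python
"""Entitlement evaluation: (resource, capability, role rule, permission) -> capabilities.

Added example; not the patent's or WebLogic Portal's code. Attribute names,
the hour parameter and the deny-overrides rule are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Callable

Predicate = Callable[[dict, int], bool]   # (user attributes, hour of day 0-23) -> bool

# A role is held when ALL of its predicates are true. "everyone" is the default rule.
ROLE_RULES = {
    "everyone": [],
    "groupAdmin": [
        lambda u, hour: u.get("skill_level", 0) >= 5,   # Administrative Skill Level at least 5
        lambda u, hour: u.get("trust") == "High",       # Trustworthiness is 'High'
        lambda u, hour: 0 <= hour < 6,                  # Time of day between 12:00 am and 6:00 am
    ],
}


def in_role(role: str, user: dict, hour: int) -> bool:
    """Evaluate a role rule; the empty 'everyone' rule is vacuously true."""
    return all(p(user, hour) for p in ROLE_RULES[role])


def parse_resource(name: str) -> dict:
    """Split a taxonomy name into portal, group portal, task and (optional) user."""
    parts = name.split(".")
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected taxonomy depth: {name!r}")
    return dict(zip(("portal", "group", "task", "user"), parts))


@dataclass(frozen=True)
class Entitlement:
    resource: str
    capability: str
    role: str
    perm: str        # "grant", "deny" or "abstain"


def _ga13_rows(role: str, user_suffix: str = "") -> list:
    """Build the Table 2 / Table 3 rows for GA 13 (constructed from the tables above)."""
    rows = [("userMgmt", "A1", "deny"), ("userMgmt", "A2", "deny"),
            ("pageMgmt", "B1", "grant"), ("pageMgmt", "B2", "deny"), ("pageMgmt", "B3", "grant"),
            ("portletMgmt", "C1", "grant"), ("portletMgmt", "C2", "deny"), ("portletMgmt", "C3", "grant"),
            ("visualMgmt", "D1", "deny"), ("visualMgmt", "D2", "deny")]
    return [Entitlement(f"myPortal.bankerGroup.{task}{user_suffix}", cap, role, perm)
            for task, cap, perm in rows]


TABLE2 = _ga13_rows("groupAdmin")            # discriminate by role rule
TABLE3 = _ga13_rows("everyone", ".smith")    # discriminate by user name in the resource


def capabilities(entitlements, user: dict, hour: int) -> set:
    """Capabilities the user is entitled to at the given hour.

    An entitlement applies when its role rule holds for the user and, if the
    resource names a user, that user is the one under consideration. Among the
    applicable entitlements any 'deny' overrides 'grant' for the same capability
    and 'abstain' contributes nothing (deny-overrides is this example's choice)."""
    granted, denied = set(), set()
    for e in entitlements:
        res = parse_resource(e.resource)
        if res.get("user") not in (None, user["name"]):
            continue                                  # resource is scoped to another user
        if not in_role(e.role, user, hour):
            continue                                  # role rule not satisfied
        if e.perm == "grant":
            granted.add(e.capability)
        elif e.perm == "deny":
            denied.add(e.capability)
    return granted - denied


if __name__ == "__main__":
    smith = {"name": "smith", "skill_level": 7, "trust": "High"}   # constructed user
    print("Table 2, 03:00:", sorted(capabilities(TABLE2, smith, 3)))
    print("Table 2, 14:00:", sorted(capabilities(TABLE2, smith, 14)))
    print("Table 3, 14:00:", sorted(capabilities(TABLE3, smith, 14)))
```

Note the difference the two tables make: under Table 2 the same user loses every capability outside the 12:00 am to 6:00 am window because the role rule is re-evaluated on each request, whereas under Table 3 the "everyone" rule always holds and only the user name embedded in the resource restricts who qualifies.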

[0035] In another embodiment, a user is associated with an administrative role (e.g., SA, PA or GA) through a mapping between users and administrators. Those skilled in the art will recognize that such a mapping can be implemented in a number of ways, including a database table, a cache, a function, or any combination thereof. In yet another embodiment, a user can be identified as an administrator based on group membership. For example, an SA belongs to the SA group, etc.

[0036] FIG. 4 illustrates a system in accordance to one embodiment of the invention. In one embodiment, by way of example, a portal user (not shown) accesses portal 40 through a web browser, such as Microsoft® Internet Explorer available from Microsoft Corp. of Redmond, Wash. The user logs into the portal by typing a login name and password. This information is sent to authorization and authentication module 44 which responds with a set of groups (not shown) for the user. Portal 40 can use the group information to customize the look and feel of the portal page(s) presented to the user. If a user is an administrator, the user can alternately log into admin tool 42 (e.g., via a web browser). Admin tool 42 allows an administrator to perform delegation, promotion, define groups, role rules and entitlements. Of course, a given administrator is limited in what they can do based on their capabilities. When an administrator logs into admin tool 42, this information is sent to the authorization module which returns a set of capabilities based on the evaluation of one or more role rules. Authorization module 44 can utilize database 46 to persist information related to users, groups, entitlements, capabilities, resources, and role rules. In one embodiment, database 46 can be a relational database, an object-oriented database, a flat file, a cache or any other data structure that allows storage of and access to information. In determining capabilities, authorization module 44 can evaluate one or more role rules to determine which entitlements are appropriate for a user. In another embodiment, all components in FIG. 4 may be part of the same software module. In another embodiment, the components may be arbitrarily grouped into different software modules. All components shown in FIG. 4 may reside on the same system or, in another embodiment, may be distributed in a computer network.

[0037] The foregoing description of the preferred embodiments of the present invention has been provided for the purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations will be apparent to the practitioner skilled in the art. Embodiments were chosen and described in order to best describe the principles of the invention and its practical application, thereby enabling others skilled in the art to understand the invention, the various embodiments and with various modifications that are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the following claims and their equivalents.

What is claimed is:
1. A method for delegating portal administrative authority, comprising: determining at least one capability for a first user based on evaluation of at least one role rule; and delegating the at least one capability to a second user; and wherein the delegation establishes whether or not the second user can delegate the capability.
2. The method of claim 1 wherein: the delegated at least one capability is a subset of the at least one capability for the first user.
3. The method of claim 1 wherein: the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
4. The method of claim 1 wherein: the first user and the second user have a hierarchical relationship and the second user is hierarchically equal or subordinate to the first user.
5. The method of claim 1 wherein: the second user is promoted by the first user.
6. The method of claim 1 wherein: the at least one role rule defaults to everyone.
7. The method of claim 1 wherein: the at least one role rule is associated with an entitlement.
8. The method of claim 7 wherein: the entitlement includes a resource name and a permission.
9. The method of claim 8 wherein: the resource name is part of a taxonomy.
10. The method of claim 8 wherein: the resource name identifies the first user.
11. The method of claim 1 wherein: the at least one role rule includes at least one predicate.
12. The method of claim 1 wherein: the at least one role rule is specified in plain language.
13. The method of claim 1 wherein: the at least one role rule associates the first user with a role.
14. The method of claim 13 wherein: the role is one of System Administrator, Portal Administrator, and Group Administrator.
15. The method of claim 1 wherein: the second user belongs to a group whose members can be promoted.
16. A method for delegating portal administrative authority, comprising: determining at least one capability for a first user based on evaluation of at least one role rule; and delegating the at least one capability to a second user; and wherein the delegated at least one capability is a subset of the at least one capability of the first user.
17. The method of claim 16 wherein: the first user controls whether the second user can delegate the at least one capability to a third user.
18. The method of claim 16 wherein: the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
19. The method of claim 16 wherein: the first user and the second user have a hierarchical relationship and the second user is hierarchically equal or subordinate to the first user.
20. The method of claim 16 wherein: the second user is promoted by the first user.
21. The method of claim 16 wherein: the at least one role rule defaults to everyone.
22. The method of claim 16 wherein: the at least one role rule is associated with an entitlement.
23. The method of claim 22 wherein: the entitlement includes a resource name and a permission.
24. The method of claim 23 wherein: the resource name is part of a taxonomy.
25. The method of claim 23 wherein: the resource name identifies the first user.
26. The method of claim 16 wherein: the at least one role rule includes at least one predicate.
27. The method of claim 16 wherein: the at least one role rule is specified in plain language.
28. The method of claim 16 wherein: the at least one role rule associates the first user with a role.
29. The method of claim 28 wherein: the role is one of System Administrator, Portal Administrator, and Group Administrator.
30. The method of claim 16 wherein: the second user belongs to a group whose members can be promoted.
31. A method for delegating portal administrative authority, comprising: determining for a first user at least one task having at least one capability; and delegating the at least one capability from the first user to at least one other user; and wherein the delegated at least one capability is a subset of the at least one capability of the first user.
32. The method of claim 31 wherein: determining for a first user at least one task having at least one capability includes evaluating at least one role rule.
33. The method of claim 31 wherein: the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
34. The method of claim 31 wherein: the first user and the at least one other user have a hierarchical relationship and the at least one other user is hierarchically equal or subordinate to the first user.
35. The method of claim 31 wherein: the at least one other user is promoted by the first user.
36. The method of claim 32 wherein: the at least one role rule defaults to everyone.
37. The method of claim 32 wherein: the at least one role rule is associated with an entitlement.
38. The method of claim 37 wherein: the entitlement includes a resource name and a permission.
39. The method of claim 38 wherein: the resource name is part of a taxonomy.
40. The method of claim 38 wherein: the resource name identifies the first user.
41. The method of claim 32 wherein: the at least one role rule includes at least one predicate.
42. The method of claim 32 wherein: the at least one role rule is specified in plain language.
43. The method of claim 32 wherein: the at least one role rule associates the first user with a role.
44. The method of claim 43 wherein: the role is one of System Administrator, Portal Administrator, and Group Administrator.
45. The method of claim 31 wherein: the at least one other user belongs to a group whose members can be promoted.
46. A method for delegating authority, comprising: determining for a first user at least one task having at least one capability based on at least one entitlement; and delegating the at least one capability from the first user to at least one other user; and wherein the delegated at least one capability is a subset of the first user's capabilities.
47. The method of claim 46 wherein: determining for a first user at least one task having at least one capability includes evaluating at least one role rule.
48. The method of claim 46 wherein: the delegated at least one capability is a subset of the at least one capability for the first user.
49. The method of claim 46 wherein: the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
50. The method of claim 46 wherein: the first user and the at least one other user have a hierarchical relationship and the at least one other user is hierarchically equal or subordinate to the first user.
51. The method of claim 46 wherein: the at least one other user is promoted by the first user.
52. The method of claim 47 wherein: the at least one role rule defaults to everyone.
53. The method of claim 46 wherein: the entitlement includes a resource name and a permission.
54. The method of claim 53 wherein: the resource name is part of a taxonomy.
55. The method of claim 53 wherein: the resource name identifies the first user.
56. The method of claim 47 wherein: the at least one role rule includes at least one predicate.
57. The method of claim 47 wherein: the at least one role rule is specified in plain language.
58. The method of claim 47 wherein: the at least one role rule associates the first user with a role.
59. The method of claim 58 wherein: the role is one of System Administrator, Portal Administrator, and Group Administrator.
60. The method of claim 46 wherein: the at least one other user belongs to a group whose members can be promoted.
61. A system for delegating authority, comprising: an authorization module to determine at least one capability associated with a first user based on evaluation of at least one role rule; and an administration tool coupled to the authorization module, the administration tool to delegate the at least one capability from the first user to a second user.
62. The system of claim 61 wherein: the first user controls whether the second user can delegate the at least one capability to a third user.
63. The system of claim 61 wherein: the delegated at least one capability is a subset of the at least one capability for the first user.
64. The system of claim 61 wherein: the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
65. The system of claim 61 wherein: the first user and the second user have a hierarchical relationship and the second user is hierarchically equal or subordinate to the first user.
66. The system of claim 61 wherein: the second user is promoted by the first user.
67. The system of claim 61 wherein: the at least one role rule defaults to everyone.
68. The system of claim 61 wherein: the at least one role rule is associated with an entitlement.
69. The system of claim 68 wherein: the entitlement includes a resource name and a permission.
70. The system of claim 69 wherein: the resource name is part of a taxonomy.
71. The system of claim 68 wherein: the resource name identifies the first user.
72. The system of claim 61 wherein: the at least one role rule includes at least one predicate.
73. The system of claim 61 wherein: the at least one role rule is specified in plain language.
74. The system of claim 61 wherein: the at least one role rule associates the first user with a role.
75. The system of claim 74 wherein: the role is one of System Administrator, Portal Administrator, and Group Administrator.
76. The system of claim 61 wherein: the second user belongs to a group whose members can be promoted.
77. A machine readable medium having instructions stored thereon that when executed by a processor cause a system to: determine at least one capability for a first user based on evaluation of at least one role rule; and delegate the at least one capability to a second user.
78. The machine readable medium of claim 77 wherein: the first user controls whether the second user can delegate the at least one capability to a third user.
79. The machine readable medium of claim 77 wherein: the delegated at least one capability is a subset of the at least one capability for the first user.
80. The machine readable medium of claim 77 wherein: the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
81. The machine readable medium of claim 77 wherein: the first user and the second user have a hierarchical relationship and the second user is hierarchically equal or subordinate to the first user.
82. The machine readable medium of claim 77 wherein: the second user is promoted by the first user.
83. The machine readable medium of claim 77 wherein: the at least one role rule defaults to everyone.
84. The machine readable medium of claim 77 wherein: the at least one role rule is associated with an entitlement.
85. The machine readable medium of claim 84 wherein: the entitlement includes a resource name and a permission.
86. The machine readable medium of claim 85 wherein: the resource name is part of a taxonomy.
87. The machine readable medium of claim 85 wherein: the resource name identifies the first user.
88. The machine readable medium of claim 77 wherein: the at least one role rule includes at least one predicate.
89. The machine readable medium of claim 77 wherein: the at least one role rule is specified in plain language.
90. The machine readable medium of claim 77 wherein: the at least one role rule associates the first user with a role.
91. The machine readable medium of claim 90 wherein: the role is one of System Administrator, Portal Administrator, and Group Administrator.
92. The machine readable medium of claim 77 wherein: the second user belongs to a group whose members can be promoted.
93. The method of claim 77 wherein: the step of delegating can limit the scope of the capability delegated.
94. The method of claim 77 wherein: the delegating step can limit the capability delegated to one or more of a manage capability, a delegate capability and a set entitlements capability.
95. A system for delegating authority, comprising: an authorization module to determine at least one capability associated with a first user based on evaluation of at least one role rule; and an administration tool coupled to the authorization module, the administration tool to delegate the at least one capability from the first user to a second user; and wherein the first user controls whether the second user can delegate the at least one capability to a third user; and wherein the at least one role rule is associated with an entitlement.
96. The system of claim 95 wherein: the delegated at least one capability is a subset of the at least one capability for the first user.
97. The system of claim 95 wherein: the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
98. The system of claim 95 wherein: the first user and the second user have a hierarchical relationship and the second user is hierarchically equal or subordinate to the first user.
99. The system of claim 95 wherein: the second user is promoted by the first user.
100. The system of claim 95 wherein: the at least one role rule defaults to everyone.
101. The system of claim 95 wherein: the entitlement includes a resource name and a permission.
102. The system of claim 101 wherein: the resource name is part of a taxonomy.
103. The system of claim 101 wherein: the resource name identifies the first user.
104. The system of claim 95 wherein: the at least one role rule includes at least one predicate.
105. The system of claim 95 wherein: the at least one role rule is specified in plain language.
106. The system of claim 95 wherein: the at least one role rule associates the first user with a role.
107. The system of claim 106 wherein: the role is one of System Administrator, Portal Administrator, and Group Administrator.
108. The system of claim 95 wherein: the second user belongs to a group whose members can be promoted.
109. A machine readable medium having instructions stored thereon that when executed by a processor cause a system to: determine for a first user at least one task having at least one capability based on at least one entitlement; and delegate the at least one capability from the first user to at least one other user; and wherein the delegated at least one capability is a subset of the first user's capabilities.
110. The machine readable medium of claim 109 wherein: the first user controls whether the at least one other user can delegate the at least one capability to a third user.
111. The machine readable medium of claim 109 wherein: the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
112. The machine readable medium of claim 109 wherein: the first user and the at least one other user have a hierarchical relationship and the at least one other user is hierarchically equal or subordinate to the first user.
113. The machine readable medium of claim 109 wherein: the at least one other user is promoted by the first user.
114. The machine readable medium of claim 109 wherein: the at least one entitlement includes a resource name and a permission.
115. The machine readable medium of claim 114 wherein: the resource name is part of a taxonomy.
116. The machine readable medium of claim 114 wherein: the resource name identifies the first user.
117. The machine readable medium of claim 109 wherein: the at least one entitlement includes at least one role rule.
118. The machine readable medium of claim 117 wherein: the at least one role rule includes at least one predicate.
119. The machine readable medium of claim 117 wherein: the at least one role rule is specified in plain language.
120. The machine readable medium of claim 117 wherein: the at least one role rule associates the first user with a role.
121. The machine readable medium of claim 120 wherein: the role is one of System Administrator, Portal Administrator, and Group Administrator.
122. The machine readable medium of claim 109 wherein: the at least one other user belongs to a group whose members can be promoted.
123. The method of claim 109 wherein: the step of delegating can limit the scope of the capability delegated.
124. The method of claim 109 wherein: the delegating step can limit the capability delegated to one or more of a manage capability, a delegate capability and a set entitlements capability.
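The independent claims above (61, 77, 95 and 109, with their dependent claims) describe one mechanism: capabilities are determined for a user by evaluating role rules against entitlements, and a holder may pass a capability on only as a subset of what it holds, only to a hierarchically equal or subordinate user in a promotable group, with the delegator deciding whether the recipient may delegate further and with scope limited to manage, delegate or set entitlements. The following Python model is an added example written for this page; it is not code from the patent or from any product it describes. The user names, groups, hierarchy levels, resource names and rule predicates are constructed sample data, and the decision that re-delegation is permitted exactly when the "delegate" scope was passed on is an assumption made to keep the model small.

```python
"""Added model of rule-based capability determination and scoped delegation."""
from dataclasses import dataclass
from typing import Callable, Optional

# Capability names and delegation scopes are the ones named in the claims.
CAPABILITIES = frozenset({
    "user management", "page management", "portlet management",
    "portal entitlement management", "portlet entitlement management",
    "visual appearance management",
})
SCOPES = frozenset({"manage", "delegate", "set entitlements"})


class DelegationError(Exception):
    """Raised when a delegation would exceed the delegator's own authority."""


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    level: int  # depth in the administrative hierarchy; 0 is the top


@dataclass(frozen=True)
class RoleRule:
    """Associates a user with a role when the predicate holds; a rule
    with no predicate defaults to everyone."""
    role: str
    predicate: Optional[Callable[[User], bool]] = None

    def matches(self, user):
        return self.predicate is None or self.predicate(user)


@dataclass(frozen=True)
class Entitlement:
    resource: str    # resource name, e.g. a node in a portal taxonomy
    permission: str  # one of CAPABILITIES
    role: str        # role the entitlement is granted to


@dataclass(frozen=True)
class Grant:
    capability: str
    scopes: frozenset  # subset of SCOPES; "delegate" permits re-delegation (assumption)


class Authorizer:
    def __init__(self, rules, entitlements, promotable_groups):
        self.rules, self.entitlements = list(rules), list(entitlements)
        self.promotable_groups = frozenset(promotable_groups)
        self.delegated = {}  # user name -> {capability: Grant}

    def roles_for(self, user):
        return {r.role for r in self.rules if r.matches(user)}

    def capabilities_for(self, user):
        """Rule-derived capabilities carry full scope; delegated grants only
        fill in capabilities the rules did not already give."""
        roles = self.roles_for(user)
        caps = {e.permission: Grant(e.permission, SCOPES) for e in self.entitlements
                if e.role in roles and e.permission in CAPABILITIES}
        for cap, grant in self.delegated.get(user.name, {}).items():
            caps.setdefault(cap, grant)
        return caps

    def delegate(self, delegator, delegatee, capability, scopes=SCOPES):
        held = self.capabilities_for(delegator).get(capability)
        wanted = frozenset(scopes)
        if held is None:
            raise DelegationError(f"{delegator.name} does not hold {capability!r}")
        if "delegate" not in held.scopes:
            raise DelegationError(f"{delegator.name} may not delegate {capability!r}")
        if not wanted <= held.scopes:  # delegated scope must be a subset
            raise DelegationError("requested scope exceeds the delegator's scope")
        if delegatee.level < delegator.level:  # only equal or subordinate users
            raise DelegationError(f"{delegatee.name} is senior to {delegator.name}")
        if not delegatee.groups & self.promotable_groups:
            raise DelegationError(f"{delegatee.name} is not in a promotable group")
        grant = Grant(capability, wanted)
        self.delegated.setdefault(delegatee.name, {})[capability] = grant
        return grant


def scenario():
    """Constructed sample data: three users in a three-level hierarchy."""
    alice = User("alice", frozenset({"sysadmins"}), 0)
    bob = User("bob", frozenset({"portal-admins"}), 1)
    carol = User("carol", frozenset({"editors"}), 2)
    auth = Authorizer(
        rules=[RoleRule("System Administrator", lambda u: "sysadmins" in u.groups),
               RoleRule("Portal Administrator", lambda u: "portal-admins" in u.groups),
               RoleRule("Everyone")],  # no predicate: defaults to everyone
        entitlements=[Entitlement("portal/users", "user management", "System Administrator"),
                      Entitlement("portal/pages", "page management", "System Administrator"),
                      Entitlement("portal/pages", "page management", "Portal Administrator")],
        promotable_groups={"portal-admins", "editors"})
    out = {"alice_roles": auth.roles_for(alice), "bob_before": set(auth.capabilities_for(bob))}
    auth.delegate(alice, bob, "user management", {"manage", "delegate"})
    auth.delegate(bob, carol, "user management", {"manage"})  # narrower than bob's grant
    out["carol_scopes"] = set(auth.capabilities_for(carol)["user management"].scopes)
    attempts = {"carol_redelegates": (carol, bob, "user management", {"manage"}),
                "bob_widens_scope": (bob, carol, "user management", {"set entitlements"}),
                "bob_lacks_cap": (bob, carol, "portlet management", {"manage"}),
                "upward": (bob, alice, "page management", {"manage"})}
    out["failures"] = {}
    for label, args in attempts.items():
        try:
            auth.delegate(*args)
        except DelegationError as exc:
            out["failures"][label] = str(exc)
    return out
```

Each refusal in `scenario()` corresponds to one limit the claims state: carol received no "delegate" scope so cannot pass the capability on, bob cannot hand out a scope he was not given, bob cannot delegate a capability he does not hold, and nobody can delegate upward in the hierarchy. Rule-derived capabilities take precedence over delegated grants in `capabilities_for`, so a later delegation can never narrow what a user's own role already confers.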